Recent fix in handling vc-tor

Recent fix in handling vc-tor

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

The bug that made setting vc-tor a no-op was particularly treacherous.
since the feature led people to believe they got some protection
for their privacy, but it didn';t actually work.

I think we should release a 28.3 with this change, and fairly soon,
even if no other changes are needed.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

Re: Recent fix in handling vc-tor

[Lars Ingebrigtsen]

Richard Stallman <rms@gnu.org> writes:

> The bug that made setting vc-tor a no-op was particularly treacherous.
> since the feature led people to believe they got some protection
> for their privacy, but it didn';t actually work.
>
> I think we should release a 28.3 with this change, and fairly soon,
> even if no other changes are needed.

vc-tor is for using VC commands via Tor?

Emacs does not, in general, work well with Tor -- Emacs leaks all over
the place (especially w.r.t. DNS lookups), so somebody trying to retain
full privacy by setting that variable will probably be found out anyway.

But it does seem like a pretty bad problem, even if I expect that
virtually nobody is using vc-tor, so perhaps we should do an Emacs 28.3
release.  I'm not at all sure, though.  Eli, what do you think?

Re: Recent fix in handling vc-tor

[Lars Ingebrigtsen]

Lars Ingebrigtsen <larsi@gnus.org> writes:

>> The bug that made setting vc-tor a no-op was particularly treacherous.
>> since the feature led people to believe they got some protection
>> for their privacy, but it didn';t actually work.
>>
>> I think we should release a 28.3 with this change, and fairly soon,
>> even if no other changes are needed.
>
> vc-tor is for using VC commands via Tor?

Oh, OK, now I've read the code and bug#57870.

Richard added the variable in 2019, but it never worked?  And Sean has
now fixed the problem in Emacs 29, so that it actually does something.

So I don't think this warrants releasing a new Emacs 28.3 -- I doubt
anybody has used this, and it's never worked, so it's not a regression.

Re: Recent fix in handling vc-tor

[Philip Kaludercic]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Richard Stallman <rms@gnu.org> writes:
>
>> The bug that made setting vc-tor a no-op was particularly treacherous.
>> since the feature led people to believe they got some protection
>> for their privacy, but it didn';t actually work.
>>
>> I think we should release a 28.3 with this change, and fairly soon,
>> even if no other changes are needed.
>
> vc-tor is for using VC commands via Tor?
>
> Emacs does not, in general, work well with Tor -- Emacs leaks all over
> the place (especially w.r.t. DNS lookups), so somebody trying to retain
> full privacy by setting that variable will probably be found out anyway.

All `vc-tor' does is wrap a vc program invocation using torsocks.  If
that is leaky, then torsocks is broken.

> But it does seem like a pretty bad problem, even if I expect that
> virtually nobody is using vc-tor, so perhaps we should do an Emacs 28.3
> release.  I'm not at all sure, though.  Eli, what do you think?

Re: Recent fix in handling vc-tor

[Stefan Kangas]

Philip Kaludercic <philipk@posteo.net> writes:

> All `vc-tor' does is wrap a vc program invocation using torsocks.  If
> that is leaky, then torsocks is broken.

Are we sure Emacs isn't doing some other funny business?  Only in Emacs
29 did we stop `ffap' from randomly making DNS lookups, for example.

IOW, shouldn't you rather be using something like

    torsocks emacs

if you care about privacy?

Re: Recent fix in handling vc-tor

[Eli Zaretskii]

> From: Lars Ingebrigtsen <larsi@gnus.org>
> Cc: emacs-devel@gnu.org, "'Eli Zaretskii'" <eliz@gnu.org>
> Date: Thu, 22 Sep 2022 12:51:59 +0200
> 
> But it does seem like a pretty bad problem, even if I expect that
> virtually nobody is using vc-tor, so perhaps we should do an Emacs 28.3
> release.  I'm not at all sure, though.  Eli, what do you think?

I'm not sure myself.

Do we have any practical way of telling how much is vc-tor used?  The
only 2 people whom I ever heard asking about that both use the master
branch, so they already have the fix.

Re: Recent fix in handling vc-tor

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Are we sure Emacs isn't doing some other funny business?

I don't suppose we are -- but how can we check?

                                                              Only in Emacs
  > 29 did we stop `ffap' from randomly making DNS lookups, for example.

Fortunately I don't use ffap, but others do, so I am glad we fixed this.

Is there a way we can systematically log all attempts to connect to anything
on the net, to make sure we know what all of them do?

    IOW, shouldn't you rather be using something like

        torsocks emacs

    if you care about privacy?

That seems a little extreme and inflexible.




-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

Re: Recent fix in handling vc-tor

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Richard added the variable in 2019, but it never worked?

I don't think I wrote the code, though I can't remember.
The crucial point is that it DID NOT VISIBLY FAIL.
Anyone using it would have assumed it was working as documented.

We should not become rigidly attached to a rule about regressions.
There are other things that affect the gravity of a problem.


-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

Re: Recent fix in handling vc-tor

[Robert Pluim]

>>>>> On Thu, 22 Sep 2022 23:16:55 -0400, Richard Stallman <rms@gnu.org> said:


    Richard> Is there a way we can systematically log all attempts to connect to anything
    Richard> on the net, to make sure we know what all of them do?

strace --follow-forks --trace=%net emacs

If you want to do it within Emacs youʼd need to write some code (and
it wouldnʼt cover subprocesses).

    >     IOW, shouldn't you rather be using something like

    >         torsocks emacs

    >     if you care about privacy?

    Richard> That seems a little extreme and inflexible.

If you want to be sure youʼre using torsocks for everything, thatʼs
what you need to do (although I havenʼt checked if torsockʼs
LD_PRELOAD tricks get passed on to Emacsʼ child processes, so maybe
even that is not enough).

Robert
--